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This listing of claims replaces all prior versions, and 
listings of claims in the instant application: 

Listing of Claims; 

1. (Currently amended) A method of declaring an incident 
in an enterprise comprising: 

providing a number of alert indications containing 
information concerning an incident related to the enterprise; 
and either 

comparing one or more of the alert indications to a set of 
rules, and if a match occurs between the set of rules, and the 
alert indication, declaring an incident based on the match, or 

comparing one or more of the alert indications to a 
decision table containing a number of defined alert events; 
remembering each alert indication that matches one of the 
defined alert events, comparing the remembered alert indication 
to correlation data in the decision table, and if a match 
occurs between the remembered alert indication and the 
correlation data, declaring an incident based on the match; or 

if no match occurs between the alert indication and the 
correlation data or the rules set, declare an incident if the 
alert indication meets a defined default threshold value ; and 

displaying an incident ticket for each incident declared, 
the incident ticket including a description of the incident, a 
conclusion based on the incident description, any actions 
responsive to the conclusion, one or more user-editable 
incident tracking rules which identify one or more further 
alert indications for association with the incident ticket, and 
a detail of the alert indications associated with the incident . 
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2. (Original) The method of claim 1, wherein the defined 
default threshold value is a level of severity in the alert 
indication. 
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3. (Canceled) 

4. (Currently amended) The method of claim 1, further 
comprising the step of tracking further alert indications once 
an incident ticket is declared and associating the further 
alert indications with the incident ticket based on the one or 
more user- editable incident tracking rules. 

5. (Original) The method of claim 4, wherein the 
associating step is performed only if the further alert 
indications pass a threshold value or table lookup from a user- 
editable table which lists enterprise policy attributes 
associated with particular alert codes, categories, or threat 
characterizations . 

6. (Currently amended) The method of claim 4, further 
comprising updating the one or more user-editable incident 
tracking rules based on one or more further alert indications. 

7. (Original) The method of claim 1, wherein the alert 
indications include information having a common format. 

8. (Original) The method of claim 1, wherein the 
enterprise is a network with a number of network devices that 
supply the alert indications for incident declaration. 

9. (Original) The method of claim 1, wherein the default 
defined value derives from a set of rules defining default 
conditions for declaring an incident. 

10. (Currently amended) A system for declaring an 
incident in an enterprise comprising: 

a4- a decision table containing a number of defined alert 
events, and a set of correlation data that identifies patterns 
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in alert indications inputted to the decision table, the 
decision table remembering inputted alert indications matching 
defined alert events, and declaring an incident if a match 
occurs between remembered alert indications and the correlated 
data; 

a set of rules containing a number of query statements, 
wherein a match between at least one of the rules and the 
inputted alert indications result in an incident declaration; 
^ rid 

a set of default standards specifying a minimum value to 
declare an incident should a match not occur with the decision 
tables or set of rules ; and 

a display of the incident as an incident ticket, the 
incident ticket including a description of the incident, a 
conclusion based on the incident description, any actions 
responsive to the conclusion, one or more user-editable 
incident tracking rules which identify one or more further 
alert indications for association with the incident ticket, a 
detail of the alert indications associated with the incident, 
followed by a listing of "raw events 1 ' that, if requested by the 
user, contains information that has been left in the native or 
vendor- specif ic format of the original sensor that produced the 
event . 



11. (Canceled) 
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12. (Original) The system of claim 10, further 
comprising an alert processing system that tracks inputted 
alert indications, filters out inputted alert indications that 
do not meet a threshold value, compares the inputted 
information to a tracking rule to determine whether the 
inputted information should be associated with a declared 
incident . 
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13. (Original) The system of claim 10, further 
comprising a database for storing at least the declared 
incidents . 



14. (Original) The system of claim 12, further 
comprising a database for storing at least the declared 
incidents and alert indications passing the threshold value. 

15. (Original) The system of claim 13, further 
comprising a web server, linking the system to one or more 
users via a global network. 

16. (Original) The system of claim 10, further 
comprising means for displaying the declared incident. 

17. (Original) The system of claim 10, wherein the rules 
are a combination of default rules and customized rules. 

18. (Original) The system of claim 10, wherein the 
enterprise is a network and the inputted information is 
supplied by a number of network devices. 

19. (Original) The system of claim 12, further 
comprising an alert processing system that tracks inputted 
alert indications, filters out inputted alert indications that 
do not meet a threshold value, compares the inputted 
information to a tracking rule to determine whether the 
inputted information should be associated with a declared 
incident . 
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20. (Original) The system of claim 19, wherein the 
enterprise is a network, and the inputted information is 
supplied by a number of network devices. 
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21. (Currently amended) The method of claim ^ 1, 
comprising updating the incident ticket based on an updated 
tracking rule such that the alert indications, conclusions and 
description reflect the updated tracking rule. 

22. (Original) The method of claim 21, wherein the 
tracking rule is updated using human input based on 
observations of reported incidents. 

23. (New) A method of declaring an incident in an 
enterprise comprising : 

providing a number of alert indications containing 
information concerning an incident related to the enterprise ; 
and either 

comparing one or more of the alert indications to a set of 
rules, and if a match occurs between the set of rules, and the 
alert indication, declaring an incident based on the match, or 

comparing one or more of the alert indications to a 
decision table containing a number of defined alert events, 
remembering each alert indication that matches one of the 
defined alert events, comparing the remembered alert indication 
to correlation data in the decision table, and if a match 
occurs between the remembered alert indication and the 
correlation data, declaring an incident based on the match; or 

if no match occurs between the alert indication and the 
correlation data or the rules set, declare an incident if the 
alert indication meets a defined default threshold value; 

displaying to a user an incident ticket for each incident 
declared, the incident ticket including one or more user- 
editable incident tracking rules which identify one or more 
further alert indications for association with the incident 
ticket ; 
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wherein the user uses a menu on the incident ticket to 
display a tracking update feature for editing the user-editable 
incident tracking rules; and 

wherein the user edits the user-editable incident tracking 
rules to change the one or more further alert indications for 
association with the incident ticket. 



24. (New) The method of claim 23 wherein the user- 
editable tracking rules include a source IP address, at least 
one target IP address, a conjunction, an attribute name, a 
condition, and an attribute value. 



25. (New) The method of claim 23 wherein the information 
contained in the alert indications relates to an unauthorized 
access attempt into the enterprise. 

26. (New) The method of claim 25 wherein the information 
contained in the alert indications relates to a port scan. 
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